30-4
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices
Understanding Cluster Load Balancing (ASA)
Understanding Cluster Load Balancing (ASA)
In a remote client configuration in which you are using two or more devices connected to the same
network to handle remote sessions, you can configure these devices to share their session load. This
feature is called load balancing. Load balancing directs session traffic to the least loaded device, thus
distributing the load among all devices. Load balancing is effective only on remote sessions initiated
with an ASA device.
To implement load balancing, you must group two or more devices on the same private LAN-to-LAN
network into a virtual cluster. All devices in the virtual cluster carry session loads. One device in the
virtual cluster, called the virtual cluster master, directs incoming calls to the other devices, called
secondary devices. The virtual cluster master monitors all devices in the cluster, keeps track of how busy
each is, and distributes the session load accordingly.
The virtual cluster appears to outside clients as a single virtual cluster IP address. This IP address is not
tied to a specific physical device—it belongs to the current virtual cluster master. A VPN client trying
to establish a connection connects first to this virtual cluster IP address. The virtual cluster master then
sends back to the client the public IP address of the least-loaded available host in the cluster. In a second
transaction (transparent to the user), the client connects directly to that host. In this way, the virtual
cluster master directs traffic evenly and efficiently across resources.
Dynamic Access Optional for all VPN types.
Global Settings Required: IKEv2 IPsec.
Optional: IKEv1 IPsec, SSL.
Group Policies Required for all VPN types.
Public Key Infrastructure Required: IKEv2 IPsec.
Also required if you configure any trustpoints for
IKEv1 IPsec or SSL VPNs. Otherwise, it is
optional.
Certificate To Connection Profile Maps, Policy
and Rules
Optional: IKEv1 IPsec.
Not used in: IKEv2 IPsec, SSL.
IKE Proposal Required: IKEv1 IPsec, IKEv2 IPsec.
Not used in: SSL.
IPsec Proposal (ASA/PIX 7.x) Required: IKEv1 IPsec, IKEv2 IPsec.
Not used in: SSL.
Access Required: IKEv2 IPsec, SSL.
Not used in: IKEv1 IPsec.
Other Settings Required: IKEv2 IPsec, SSL.
Not used in: IKEv1 IPsec.
Shared License Optional: IKEv2 IPsec, SSL.
Not used in: IKEv1 IPsec.
Table 30-1 Remote Access VPN Policy Requirements for ASA Devices (Continued)
Policy Required, Optional